Provider implementation providing client certificates during TLS
Ladislav Marko
markolad at fit.cvut.cz
Mon Feb 6 17:29:08 UTC 2023
Dear OpenSSL users,
I'm currently developing an OpenSSL provider (so I'm using OpenSSL
versions 3.0 and newer, currently self compiled 3.1.0-beta2-dev). One
key feature of the provider will be providing client certificates (from
my provider's store) to servers upon request during TLS.
I've implemented decoder, keymgmt, signature and store functionalities.
To quote documentation from `SSL_CTX_set_client_cert_cb`, "When a
certificate was set using the SSL_CTX_use_certificate(3) family of
functions, it will be sent to the server." I've used
`SSL_CTX_load_verify_store()`, which I believe suffices.
Unfortunately none of my functions get called afterward when dealing
with the client certificate. And by that I mean that my store isn't
opened to see if I have matching certificates.
I've tried to circumvent this behavior with
`SSL_CTX_set_client_cert_cb()` where I load the certificate and key
manually, but to no avail. None of my implemented functions get called
and when looking at the stack trace I get lost really fast since there
is some caching happening. I'm suspicious that my functions don't get
called in this case because I have not implemented digest
functionalities, since the last trace output I get is "Using client
verify alg SHA2-256" (although I get that output even when not using a
custom client certificate callback).
So my question is: what needs to be implemented/changed/called so
OpenSSL will use certificates from my provider's store as client
certificates?
Any help would be strongly appreciated.
Ladislav Marko